
RE: About using CORS

From: Sylvain Galineau <sylvaing@microsoft.com>
Date: Tue, 4 May 2010 22:43:35 +0000
To: "robert@ocallahan.org" <robert@ocallahan.org>, "Levantovsky, Vladimir" <Vladimir.Levantovsky@monotypeimaging.com>
CC: Anne van Kesteren <annevk@opera.com>, "public-webfonts-wg@w3.org" <public-webfonts-wg@w3.org>, "www-font@w3.org" <www-font@w3.org>
Message-ID: <045A765940533D4CA4933A4A7E32597E21484C8D@TK5EX14MBXC120.redmond.corp.microsoft.com>

Actually, the more I think about it, the more obvious it is that I must backtrack on linking CORS with font security concerns. My bad.
The latter are real, but CORS adds, by design, a very limited benefit. It adds a small extra step for the attacker but that’s noise at

But it is still desirable to allow sites to control how their resources are utilized and it is as valuable here as it would be for other resource types.
If we wish we could go back and do it, then surely now is the time to get this right before web fonts are too prevalent to change anything.

That it coincides with the majority of EULAs also still matters if we aim to improve on the current less-than-exciting status quo. But that will
really work only if the vast majority of users use browsers that do this interoperably. If half the browsers out there allow any font to be
used in a page regardless of origin domain, we might still end up back at square one.

From: Sylvain Galineau
Sent: Tuesday, May 04, 2010 2:25 PM
To: 'robert@ocallahan.org'; Levantovsky, Vladimir
Cc: Anne van Kesteren; public-webfonts-wg@w3.org; www-font@w3.org
Subject: RE: About using CORS

Yes, that is true of CORS in general. If the attacker can link to their own sites, they can do all kinds of things besides make you load font resources as well.

But that is also true wrt the first point in your original argument: http://lists.w3.org/Archives/Public/www-font/2009JulSep/0827.html

From: rocallahan@gmail.com [mailto:rocallahan@gmail.com] On Behalf Of Robert O'Callahan
Sent: Tuesday, May 04, 2010 1:30 PM
To: Levantovsky, Vladimir
Cc: Sylvain Galineau; Anne van Kesteren; public-webfonts-wg@w3.org; www-font@w3.org
Subject: Re: About using CORS

For what it's worth, I don't think this security argument holds much water. The attacker can always send Access-Control-Allow-Origin:* from their server to enable cross-site usage. The same-origin check may discourage authors from linking to other people's sites (which later get compromised or domain-stolen), thus providing some protection that way, but that's a very weak argument IMHO.

"He was pierced for our transgressions, he was crushed for our iniquities; the punishment that brought us peace was upon him, and by his wounds we are healed. We all, like sheep, have gone astray, each of us has turned to his own way; and the LORD has laid on him the iniquity of us all." [Isaiah 53:5-6]
Received on Tuesday, 4 May 2010 22:44:12 UTC
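
The distinction drawn in this thread, as an added example that is not part of the original messages: a simplified model of a same-origin-or-CORS check on font loads, showing that it lets a font's host restrict which sites use it, while any host that sets its own headers passes the check. The function names and the `*.example` hosts are constructed assumptions; credentials, preflight and redirects are not modelled.

```javascript
// Added illustration: simplified same-origin-or-CORS decision for a font load.
// All names and hosts here are constructed for the example.

// Case-insensitive header lookup on a plain object of response headers.
function headerValue(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return String(v).trim();
  }
  return null;
}

// Returns whether a page at pageUrl may use the font at fontUrl,
// given the headers the font's server sent with the response.
function fontLoadDecision(pageUrl, fontUrl, responseHeaders) {
  const pageOrigin = new URL(pageUrl).origin; // scheme + host + port
  if (new URL(fontUrl).origin === pageOrigin) {
    return { allowed: true, reason: "same-origin" };
  }
  const acao = headerValue(responseHeaders, "access-control-allow-origin");
  if (acao === "*") return { allowed: true, reason: "cors-wildcard" };
  if (acao === pageOrigin) return { allowed: true, reason: "cors-origin-match" };
  return { allowed: false, reason: "cors-denied" };
}

// Constructed cases. The foundry names one licensee; the last host
// controls its own server and simply sends the wildcard.
const FOUNDRY_FONT = "https://foundry.example/fonts/a.woff";
const FOUNDRY_HEADERS = { "Access-Control-Allow-Origin": "https://licensee.example" };
const CASES = [
  ["https://licensee.example/index.html", "https://licensee.example/fonts/a.woff", {}],
  ["https://other.example/", FOUNDRY_FONT, FOUNDRY_HEADERS],
  ["https://licensee.example/index.html", FOUNDRY_FONT, FOUNDRY_HEADERS],
  ["https://victim.example/", "https://attacker.example/f.woff",
    { "access-control-allow-origin": "*" }],
];

function runCases() {
  return CASES.map(([page, font, headers]) => fontLoadDecision(page, font, headers));
}

console.log(runCases());
```

The second and third cases show the control a resource owner gains; the fourth shows why the check says nothing about whether the font itself is safe to parse.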
